malwarewikiaorg-20200223-history
SQL Slammer
SQL Slammer (also known as Helkern or Sapphire) is a worm that caused about 1 billion dollars in damage. It was created in 2003 and affects the Microsoft Windows OS. It spread by exploiting a buffer overflow bug in Microsoft's SQL Server and Desktop Engine database products. A patch had been available six months before the worm attacked, but most organizations had not installed it yet.

Technical details

The worm was based on proof-of-concept code demonstrated at the Black Hat Briefings by David Litchfield, who had initially discovered the buffer overflow vulnerability that the worm exploited. It is a small piece of code that does little other than generate random IP addresses and send itself out to those addresses. If a selected address happens to belong to a host running an unpatched copy of the Microsoft SQL Server Resolution Service listening on UDP port 1434, the host immediately becomes infected and begins spraying the Internet with more copies of the worm program. Home PCs are generally not vulnerable to this worm unless they have MSDE installed.

The worm is so small that it does not contain code to write itself to disk, so it stays only in memory and is easy to remove. For example, Symantec provides a free removal utility (see external link below), or it can even be removed by restarting SQL Server (although the machine would likely be reinfected immediately).

The worm was made possible by a software security vulnerability in SQL Server first reported by Microsoft on 24 July 2002. A patch had been available from Microsoft for six months prior to the worm's launch, but many installations had not been patched, including many at Microsoft.

The worm began to be noticed early on 25 January 2003 as it slowed down systems worldwide. The slowdown was caused by the collapse of numerous routers under the burden of extremely high bombardment traffic from infected servers.
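The spreading pattern described above (one UDP datagram to port 1434 per pseudo-random address, many addresses per second) is what a defender can look for in flow logs. The following is an added detection example written for this article, not code from the page or from any product; the log line format, the sample data and the thresholds are assumptions made for the demonstration.

```python
# Added example (not from the original article): flag hosts that spray UDP/1434
# datagrams at many distinct destinations within a short window. The flow-log
# format, the sample log and the thresholds below are assumptions for this demo.
from collections import defaultdict

def parse_line(line):
    """Assumed flow-log format: '<epoch_seconds> <src> -> <dst> <PROTO>/<dport>'."""
    ts, src, _, dst, service = line.split()
    proto, dport = service.split("/")
    return float(ts), src, dst, proto, int(dport)

def slammer_suspects(lines, window=1.0, min_targets=20):
    """Return {src: max_distinct_targets} for sources that hit UDP/1434 on at
    least `min_targets` different hosts within any `window`-second span.
    Normal clients resolve a handful of known SQL Servers; a Slammer-style worm
    sends one datagram each to random addresses, so the distinct count explodes."""
    per_src = defaultdict(list)
    for line in lines:
        ts, src, dst, proto, dport = parse_line(line)
        if proto == "UDP" and dport == 1434:
            per_src[src].append((ts, dst))
    suspects = {}
    for src, events in per_src.items():
        events.sort()
        best, left = 0, 0
        for right in range(len(events)):
            # slide the left edge so the window spans at most `window` seconds
            while events[right][0] - events[left][0] > window:
                left += 1
            targets = {dst for _, dst in events[left:right + 1]}
            best = max(best, len(targets))
        if best >= min_targets:
            suspects[src] = best
    return suspects

# Constructed sample: a benign client querying two known servers, and one
# infected host emitting 25 datagrams to scattered addresses within half a second.
SAMPLE_LOG = [
    "1000.0 192.0.2.10 -> 192.0.2.50 UDP/1434",
    "1000.5 192.0.2.10 -> 192.0.2.51 UDP/1434",
    "1001.0 192.0.2.10 -> 192.0.2.50 TCP/1433",
] + [
    f"{1000 + i * 0.02:.2f} 192.0.2.77 -> 10.{(i * 7) % 256}.{(i * 13) % 256}.{i + 1} UDP/1434"
    for i in range(25)
]

if __name__ == "__main__":
    print(slammer_suspects(SAMPLE_LOG))  # {'192.0.2.77': 25}
```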
Normally, when traffic is too high for routers to handle, the routers are supposed to delay or temporarily stop network traffic. Instead, some routers crashed (became unusable), and the "neighbour" routers would notice that these routers had stopped and should not be contacted (that is, they were removed from the routing table). Routers started sending notices to this effect to other routers they knew about. The flood of routing table update notices caused some additional routers to fail, compounding the problem. Eventually the crashed routers' maintainers restarted them, causing them to announce their status, leading to another wave of routing table updates. Soon a significant portion of Internet bandwidth was consumed by routers communicating with each other to update their routing tables, and ordinary data traffic slowed down or in some cases stopped altogether. Because the SQL Slammer worm was so small, it was sometimes able to get through when legitimate traffic was not.

The worm heavily slowed down Internet traffic and crashed multiple servers. It infected servers over UDP and fit entirely into a single packet, so it could still slip through congested links and failing routers that were dropping larger legitimate traffic.

History

2003

This worm created major problems during that year and was regarded as a worst-case scenario at the time. A few victims of its attack were Bank of America's ATM systems, a 911 emergency response system in Washington State, and a nuclear plant in Ohio.

2016

More than a decade later, SQL Slammer came back, attacking ancient SQL servers.